Yahoo Groups archive

Milter-greylist

Index last updated: 2026-04-28 23:32 UTC

Thread

Weird problem with Microsoft domains

Weird problem with Microsoft domains

2018-11-20 by Stefan Suurmeijer

Hi list,

I've recently installed milter-greylist on 2 new servers. But I'm
running into a strange problem. Everything seems to work fine, except
for mails coming from Microsoft domains.
Every time someone sends an e-mail from a Microsoft domain,
milter-greylist throws a fit:

Nov 20 15:45:37 localhost milter-greylist: DKIM failed: Key retrieval failed
Nov 20 15:45:37 localhost sm-mta[26871]: wAKEjaDU026871: Milter: data,
reject=451 4.3.2 Please try again later

This happens ONLY on Microsoft domains. And on every mail and re-send.
All other domains are handled normally it seems. I've been searching for
reasons, but coming up empty. The only weird thing I can find is that
Microsoft seems to have some configuration issues on DKIM:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outlook.com; 
s=selector1;

nslookup:
/root@myhost:~# nslookup//
//> set q=txt//
//> selector1._domainkey.outlook.com//
//;; Truncated, retrying in TCP mode.//
//Server:         127.0.0.53//
//Address:        127.0.0.53#53//
//
//Non-authoritative answer://
//selector1._domainkey.outlook.com        canonical name =
selector1._domainkey.outbound.protection.outlook.com.//
//
//Authoritative answers can be found from://
//> selector1._domainkey.outbound.protection.outlook.com//
//;; Truncated, retrying in TCP mode.//
//Server:         127.0.0.53//
//Address:        127.0.0.53#53//
//
//Non-authoritative answer://
//*** Can't find selector1._domainkey.outbound.protection.outlook.com:
No answer//
//
//Authoritative answers can be found from:/

That's not good? Can't resolve the DKIM signature? So it would make
sense that milter-greylist doesn't like it. But this can't be the
reason? Or the whole world would have this problem?

Anyone have any suggestions? If it's possible to turn off DKIM checking
that would be fine too AFAIC (preferably without the need for
recompiling). I've even whitelisted every outlook SMTP server (took me
an hour, they have some nice configuration issues there too :-(), but
that doesn't seem to help

Any help would be appreciated,

Thanks in advance,
Stefan

RE: [milter-greylist] Weird problem with Microsoft domains

2018-11-21 by Bruncsak, Attila

> > selector1._domainkey.outbound.protection.outlook.com
> ;; Truncated, retrying in TCP mode.
> Server:         127.0.0.53
> Address:        127.0.0.53#53
> 
> Non-authoritative answer:
> *** Can't find selector1._domainkey.outbound.protection.outlook.com: No answer

You must have an issue with the domain name resolution. Try to fix it. For me it just works:

$ dig +short txt selector1._domainkey.outbound.protection.outlook.com.
;; Truncated, retrying in TCP mode.
"v=DKIM1\;k=rsa\;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvWyktrIL8DO/+UGvMbv7cPd/Xogpbs7pgVw8y9ldO6AAMmg8+ijENl/c7Fb1MfKM7uG3LMwAr0dVVKyM+mbkoX2k5L7lsROQr0Z9gGSpu7xrnZOa58+/pIhd2Xk/DFPpa5+TKbWodbsSZPRN8z0RY5x59jdzSclXlEyN9mEZdmOiKTsOP6A7vQxfSya9jg5" "N81dfNNvP7HnWejMMsKyIMrXptxOhIBuEYH67JDe98QgX14oHvGM2Uz53if/SW8MF09rYh9sp4ZsaWLIg6T343JzlbtrsGRGCDJ9JPpxRWZimtz+Up/BlKzT6sCCrBihb/Bi3pZiEBB4Ui/vruL5RCQIDAQAB\;n=2048,1452627113,1468351913"
$

Re: [milter-greylist] Weird problem with Microsoft domains

2018-11-21 by Stefan Suurmeijer

Hi Atilla,

DNS isn't the issue. Apparently nslookup (or my command) was the issue
there, since:

root@myhost:~# dig +short txt
selector1._domainkey.outbound.protection.outlook.com.
"v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvWyktrIL8DO/+UGvMbv7cPd/Xogpbs7pgVw8y9ldO6AAMmg8+ijENl/c7Fb1MfKM7uG3LMwAr0dVVKyM+mbkoX2k5L7lsROQr0Z9gGSpu7xrnZOa58+/pIhd2Xk/DFPpa5+TKbWodbsSZPRN8z0RY5x59jdzSclXlEyN9mEZdmOiKTsOP6A7vQxfSya9jg5"
"N81dfNNvP7HnWejMMsKyIMrXptxOhIBuEYH67JDe98QgX14oHvGM2Uz53if/SW8MF09rYh9sp4ZsaWLIg6T343JzlbtrsGRGCDJ9JPpxRWZimtz+Up/BlKzT6sCCrBihb/Bi3pZiEBB4Ui/vruL5RCQIDAQAB;n=2048,1452627113,1468351913"

So with dig I do get the DKIM key. And my SPAMD milter also checks DKIM
and says "DKIM valid". The strange part is that with the same nslookup
sequence on for example gmail I don't get the same issue, but anyway,
apparently it isn't the reason for milter-greylist to complain. Which
means I still have no idea. Every other domain is working fine, but all
Microsoft domains get a "retry later" every single time they connect.

I'm running Ubuntu 18.04, sendmail, milter-greylist, clamav-milter and
spamasassin-milter.

Anyone have any ideas?

KR
Stefan



On 11/21/18 9:02 AM, 'Bruncsak, Attila' attila.bruncsak@...
[milter-greylist] wrote:
>  
>
> > > selector1._domainkey.outbound.protection.outlook.com
> > ;; Truncated, retrying in TCP mode.
> > Server: 127.0.0.53
> > Address: 127.0.0.53#53
> >
> > Non-authoritative answer:
> > *** Can't find selector1._domainkey.outbound.protection.outlook.com:
> No answer
>
> You must have an issue with the domain name resolution. Try to fix it.
> For me it just works:
>
> $ dig +short txt selector1._domainkey.outbound.protection.outlook.com.
> ;; Truncated, retrying in TCP mode.
> "v=DKIM1\;k=rsa\;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvWyktrIL8DO/+UGvMbv7cPd/Xogpbs7pgVw8y9ldO6AAMmg8+ijENl/c7Fb1MfKM7uG3LMwAr0dVVKyM+mbkoX2k5L7lsROQr0Z9gGSpu7xrnZOa58+/pIhd2Xk/DFPpa5+TKbWodbsSZPRN8z0RY5x59jdzSclXlEyN9mEZdmOiKTsOP6A7vQxfSya9jg5"
> "N81dfNNvP7HnWejMMsKyIMrXptxOhIBuEYH67JDe98QgX14oHvGM2Uz53if/SW8MF09rYh9sp4ZsaWLIg6T343JzlbtrsGRGCDJ9JPpxRWZimtz+Up/BlKzT6sCCrBihb/Bi3pZiEBB4Ui/vruL5RCQIDAQAB\;n=2048,1452627113,1468351913"
>
> $
>
> 

-- 
================================================================
Stefan Suurmeijer
Raptor Network & Web solutions
Woldweg 161a
NL-9606 PD Kropswolde, The Netherlands
tel: (+31) 50 363 9215 / (+31) 6 52 067 168 (cell)
E-mail: stefan@...
================================================================

PGP fingerprint: 2CC6 5313 2F58 862F 1542 AECF 2385 6F8A BC45 9F86

Always acknowledge a fault. This will throw those in authority off their guard and give you an opportunity to commit more - Mark Twain

Re: [milter-greylist] Weird problem with Microsoft domains

2018-11-21 by john

Hi Stefan

Have you tried to set dkim to none in the configuration file?

Best
John


Stavefejl og lignende krediteres min Samsung Galaxy 8.

-------- Oprindelig besked --------
Fra: "Stefan Suurmeijer stefan@raptorweb.nl [milter-greylist]" <milter-greylist@yahoogroups.com>
Dato: 21/11/2018 17.36 (GMT+08:00)
Til: milter-greylist@yahoogroups.com
Emne: Re: [milter-greylist] Weird problem with Microsoft domains

Hi Atilla,

DNS isn't the issue. Apparently nslookup (or my command) was the issue there, since:

root@myhost:~# dig +short txt selector1._domainkey.outbound.protection.outlook.com.
"v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvWyktrIL8DO/+UGvMbv7cPd/Xogpbs7pgVw8y9ldO6AAMmg8+ijENl/c7Fb1MfKM7uG3LMwAr0dVVKyM+mbkoX2k5L7lsROQr0Z9gGSpu7xrnZOa58+/pIhd2Xk/DFPpa5+TKbWodbsSZPRN8z0RY5x59jdzSclXlEyN9mEZdmOiKTsOP6A7vQxfSya9jg5" "N81dfNNvP7HnWejMMsKyIMrXptxOhIBuEYH67JDe98QgX14oHvGM2Uz53if/SW8MF09rYh9sp4ZsaWLIg6T343JzlbtrsGRGCDJ9JPpxRWZimtz+Up/BlKzT6sCCrBihb/Bi3pZiEBB4Ui/vruL5RCQIDAQAB;n=2048,1452627113,1468351913"

So with dig I do get the DKIM key. And my SPAMD milter also checks DKIM and says "DKIM valid". The strange part is that with the same nslookup sequence on for example gmail I don't get the same issue, but anyway, apparently it isn't the reason for milter-greylist to complain. Which means I still have no idea. Every other domain is working fine, but all Microsoft domains get a "retry later" every single time they connect.

I'm running Ubuntu 18.04, sendmail, milter-greylist, clamav-milter and spamasassin-milter.

Anyone have any ideas?

KR
Stefan



Show quoted textHide quoted text
On 11/21/18 9:02 AM, 'Bruncsak, Attila' attila.bruncsak@itu.int [milter-greylist] wrote:

> > selector1._domainkey.outbound.protection.outlook.com
> ;; Truncated, retrying in TCP mode.
> Server: 127.0.0.53
> Address: 127.0.0.53#53
>
> Non-authoritative answer:
> *** Can't find selector1._domainkey.outbound.protection.outlook.com: No answer

You must have an issue with the domain name resolution. Try to fix it. For me it just works:

$ dig +short txt selector1._domainkey.outbound.protection.outlook.com.
;; Truncated, retrying in TCP mode.
"v=DKIM1\;k=rsa\;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvWyktrIL8DO/+UGvMbv7cPd/Xogpbs7pgVw8y9ldO6AAMmg8+ijENl/c7Fb1MfKM7uG3LMwAr0dVVKyM+mbkoX2k5L7lsROQr0Z9gGSpu7xrnZOa58+/pIhd2Xk/DFPpa5+TKbWodbsSZPRN8z0RY5x59jdzSclXlEyN9mEZdmOiKTsOP6A7vQxfSya9jg5" "N81dfNNvP7HnWejMMsKyIMrXptxOhIBuEYH67JDe98QgX14oHvGM2Uz53if/SW8MF09rYh9sp4ZsaWLIg6T343JzlbtrsGRGCDJ9JPpxRWZimtz+Up/BlKzT6sCCrBihb/Bi3pZiEBB4Ui/vruL5RCQIDAQAB\;n=2048,1452627113,1468351913"
$ 


-- 
================================================================
Stefan Suurmeijer
Raptor Network & Web solutions
Woldweg 161a
NL-9606 PD Kropswolde, The Netherlands
tel: (+31) 50 363 9215 / (+31) 6 52 067 168 (cell)
E-mail: stefan@raptorweb.nl
================================================================

PGP fingerprint: 2CC6 5313 2F58 862F 1542 AECF 2385 6F8A BC45 9F86

Always acknowledge a fault. This will throw those in authority off their guard and give you an opportunity to commit more - Mark Twain

Re: [milter-greylist] Weird problem with Microsoft domains

2018-11-21 by Stefan Suurmeijer

Hi John,

No, not yet! I was looking for a configuration option to disable DKIM. I
found this

/dkim   DKIM status (if build with DKIM support). Possible values are
pass, fail, unknown, error, and none/

in the man file. But that seemed more like an evaluation than an option
(status?)? How would configuring it work?

Something like

dacl greylist dkim outlook.com none
or
racl greylist dkim outlook.com none
??

Completely disabling DKIM evaluation for all domains is acceptable too,
don't need milter-greylist to check it for me.

Thanks
Stefan




On 11/21/18 11:38 AM, john john@hovedpuden.dk [milter-greylist] wrote:
>  
> Hi Stefan
>
> Have you tried to set dkim to none in  the configuration file?
>
> Best
> John
>
>
> Stavefejl og lignende krediteres min Samsung Galaxy 8.
>
> -------- Oprindelig besked --------
> Fra: "Stefan Suurmeijer stefan@... [milter-greylist]"
> <milter-greylist@yahoogroups.com>
> Dato: 21/11/2018 17.36 (GMT+08:00)
> Til: milter-greylist@yahoogroups.com
> Emne: Re: [milter-greylist] Weird problem with Microsoft domains
>
>  
>
> Hi Atilla,
>
> DNS isn't the issue. Apparently nslookup (or my command) was the issue
> there, since:
>
> root@myhost:~# dig +short txt
> selector1._domainkey.outbound.protection.outlook.com.
> "v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvWyktrIL8DO/+UGvMbv7cPd/Xogpbs7pgVw8y9ldO6AAMmg8+ijENl/c7Fb1MfKM7uG3LMwAr0dVVKyM+mbkoX2k5L7lsROQr0Z9gGSpu7xrnZOa58+/pIhd2Xk/DFPpa5+TKbWodbsSZPRN8z0RY5x59jdzSclXlEyN9mEZdmOiKTsOP6A7vQxfSya9jg5"
> "N81dfNNvP7HnWejMMsKyIMrXptxOhIBuEYH67JDe98QgX14oHvGM2Uz53if/SW8MF09rYh9sp4ZsaWLIg6T343JzlbtrsGRGCDJ9JPpxRWZimtz+Up/BlKzT6sCCrBihb/Bi3pZiEBB4Ui/vruL5RCQIDAQAB;n=2048,1452627113,1468351913"
>
> So with dig I do get the DKIM key. And my SPAMD milter also checks
> DKIM and says "DKIM valid". The strange part is that with the same
> nslookup sequence on for example gmail I don't get the same issue, but
> anyway, apparently it isn't the reason for milter-greylist to
> complain. Which means I still have no idea. Every other domain is
> working fine, but all Microsoft domains get a "retry later" every
> single time they connect.
>
> I'm running Ubuntu 18.04, sendmail, milter-greylist, clamav-milter and
> spamasassin-milter.
>
> Anyone have any ideas?
>
> KR
> Stefan
>
>
>
> On 11/21/18 9:02 AM, 'Bruncsak, Attila' attila.bruncsak@...t
> [milter-greylist] wrote:
>>  
>>
>> > > selector1._domainkey.outbound.protection.outlook.com
>> > ;; Truncated, retrying in TCP mode.
>> > Server: 127.0.0.53
>> > Address: 127.0.0.53#53
>> >
>> > Non-authoritative answer:
>> > *** Can't find
>> selector1._domainkey.outbound.protection.outlook.com: No answer
>>
>> You must have an issue with the domain name resolution. Try to fix
>> it. For me it just works:
>>
>> $ dig +short txt selector1._domainkey.outbound.protection.outlook.com.
>> ;; Truncated, retrying in TCP mode.
>> "v=DKIM1\;k=rsa\;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvWyktrIL8DO/+UGvMbv7cPd/Xogpbs7pgVw8y9ldO6AAMmg8+ijENl/c7Fb1MfKM7uG3LMwAr0dVVKyM+mbkoX2k5L7lsROQr0Z9gGSpu7xrnZOa58+/pIhd2Xk/DFPpa5+TKbWodbsSZPRN8z0RY5x59jdzSclXlEyN9mEZdmOiKTsOP6A7vQxfSya9jg5"
>> "N81dfNNvP7HnWejMMsKyIMrXptxOhIBuEYH67JDe98QgX14oHvGM2Uz53if/SW8MF09rYh9sp4ZsaWLIg6T343JzlbtrsGRGCDJ9JPpxRWZimtz+Up/BlKzT6sCCrBihb/Bi3pZiEBB4Ui/vruL5RCQIDAQAB\;n=2048,1452627113,1468351913"
>>
>> $
>>
>
> -- 
> ================================================================
> Stefan Suurmeijer
> Raptor Network & Web solutions
> Woldweg 161a
> NL-9606 PD Kropswolde, The Netherlands
> tel: (+31) 50 363 9215 / (+31) 6 52 067 168 (cell)
> E-mail: stefan@...
> ================================================================
>
> PGP fingerprint: 2CC6 5313 2F58 862F 1542 AECF 2385 6F8A BC45 9F86
>
> Always acknowledge a fault. This will throw those in authority off their guard and give you an opportunity to commit more - Mark Twain
> 

-- 
================================================================
Stefan Suurmeijer
Raptor Network & Web solutions
Woldweg 161a
NL-9606 PD Kropswolde, The Netherlands
tel: (+31) 50 363 9215 / (+31) 6 52 067 168 (cell)
E-mail: stefan@raptorweb.nl
================================================================

PGP fingerprint: 2CC6 5313 2F58 862F 1542 AECF 2385 6F8A BC45 9F86

Always acknowledge a fault. This will throw those in authority off their guard and give you an opportunity to commit more - Mark Twain

Re: [milter-greylist] Weird problem with Microsoft domains

2018-11-21 by john

Hi Stefan,

I understand now. It seems like you cannot disable DKIM easily.

Based on the link below, I assume something like
dacl greylist dkim none
Followed by similar for each other status
would disable DKIM.
https://milter-greylist.yahoogroups.narkive.com/WW7OvXTc/dkim-support-in-milter-greylist

Best
John



Stavefejl og lignende krediteres min Samsung Galaxy 8.

-------- Oprindelig besked --------
Fra: "Stefan Suurmeijer stefan@raptorweb.nl [milter-greylist]" <milter-greylist@yahoogroups.com>
Dato: 21/11/2018 19.06 (GMT+08:00)
Til: milter-greylist@yahoogroups.com
Emne: Re: [milter-greylist] Weird problem with Microsoft domains

Hi John,

No, not yet! I was looking for a configuration option to disable DKIM. I found this

dkim DKIM status (if build with DKIM support). Possible values are pass, fail, unknown, error, and none

in the man file. But that seemed more like an evaluation than an option (status?)? How would configuring it work?

Something like

dacl greylist dkim outlook.com none
or
racl greylist dkim outlook.com none
??

Completely disabling DKIM evaluation for all domains is acceptable too, don't need milter-greylist to check it for me.

Thanks
Stefan




Show quoted textHide quoted text
On 11/21/18 11:38 AM, john john@hovedpuden.dk [milter-greylist] wrote:
Hi Stefan

Have you tried to set dkim to none in the configuration file?

Best
John


Stavefejl og lignende krediteres min Samsung Galaxy 8.

-------- Oprindelig besked --------
Fra: "Stefan Suurmeijer stefan@raptorweb.nl [milter-greylist]" <milter-greylist@yahoogroups.com>
Dato: 21/11/2018 17.36 (GMT+08:00)
Emne: Re: [milter-greylist] Weird problem with Microsoft domains

Hi Atilla,

DNS isn't the issue. Apparently nslookup (or my command) was the issue there, since:

root@myhost:~# dig +short txt selector1._domainkey.outbound.protection.outlook.com.
"v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvWyktrIL8DO/+UGvMbv7cPd/Xogpbs7pgVw8y9ldO6AAMmg8+ijENl/c7Fb1MfKM7uG3LMwAr0dVVKyM+mbkoX2k5L7lsROQr0Z9gGSpu7xrnZOa58+/pIhd2Xk/DFPpa5+TKbWodbsSZPRN8z0RY5x59jdzSclXlEyN9mEZdmOiKTsOP6A7vQxfSya9jg5" "N81dfNNvP7HnWejMMsKyIMrXptxOhIBuEYH67JDe98QgX14oHvGM2Uz53if/SW8MF09rYh9sp4ZsaWLIg6T343JzlbtrsGRGCDJ9JPpxRWZimtz+Up/BlKzT6sCCrBihb/Bi3pZiEBB4Ui/vruL5RCQIDAQAB;n=2048,1452627113,1468351913"

So with dig I do get the DKIM key. And my SPAMD milter also checks DKIM and says "DKIM valid". The strange part is that with the same nslookup sequence on for example gmail I don't get the same issue, but anyway, apparently it isn't the reason for milter-greylist to complain. Which means I still have no idea. Every other domain is working fine, but all Microsoft domains get a "retry later" every single time they connect.

I'm running Ubuntu 18.04, sendmail, milter-greylist, clamav-milter and spamasassin-milter.

Anyone have any ideas?

KR
Stefan



On 11/21/18 9:02 AM, 'Bruncsak, Attila' attila.bruncsak@itu.int [milter-greylist] wrote:

> > selector1._domainkey.outbound.protection.outlook.com
> ;; Truncated, retrying in TCP mode.
> Server: 127.0.0.53
> Address: 127.0.0.53#53
>
> Non-authoritative answer:
> *** Can't find selector1._domainkey.outbound.protection.outlook.com: No answer

You must have an issue with the domain name resolution. Try to fix it. For me it just works:

$ dig +short txt selector1._domainkey.outbound.protection.outlook.com.
;; Truncated, retrying in TCP mode.
"v=DKIM1\;k=rsa\;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvWyktrIL8DO/+UGvMbv7cPd/Xogpbs7pgVw8y9ldO6AAMmg8+ijENl/c7Fb1MfKM7uG3LMwAr0dVVKyM+mbkoX2k5L7lsROQr0Z9gGSpu7xrnZOa58+/pIhd2Xk/DFPpa5+TKbWodbsSZPRN8z0RY5x59jdzSclXlEyN9mEZdmOiKTsOP6A7vQxfSya9jg5" "N81dfNNvP7HnWejMMsKyIMrXptxOhIBuEYH67JDe98QgX14oHvGM2Uz53if/SW8MF09rYh9sp4ZsaWLIg6T343JzlbtrsGRGCDJ9JPpxRWZimtz+Up/BlKzT6sCCrBihb/Bi3pZiEBB4Ui/vruL5RCQIDAQAB\;n=2048,1452627113,1468351913"
$ 


-- 
================================================================
Stefan Suurmeijer
Raptor Network & Web solutions
Woldweg 161a
NL-9606 PD Kropswolde, The Netherlands
tel: (+31) 50 363 9215 / (+31) 6 52 067 168 (cell)
E-mail: stefan@raptorweb.nl
================================================================

PGP fingerprint: 2CC6 5313 2F58 862F 1542 AECF 2385 6F8A BC45 9F86

Always acknowledge a fault. This will throw those in authority off their guard and give you an opportunity to commit more - Mark Twain


-- 
================================================================
Stefan Suurmeijer
Raptor Network & Web solutions
Woldweg 161a
NL-9606 PD Kropswolde, The Netherlands
tel: (+31) 50 363 9215 / (+31) 6 52 067 168 (cell)
E-mail: stefan@raptorweb.nl
================================================================

PGP fingerprint: 2CC6 5313 2F58 862F 1542 AECF 2385 6F8A BC45 9F86

Always acknowledge a fault. This will throw those in authority off their guard and give you an opportunity to commit more - Mark Twain

Re: [milter-greylist] Weird problem with Microsoft domains

2018-11-21 by Mauricio Teixeira

The TXT record is too big for a UDP packet, so the system is retrying in TCP mode. Most likely your firewall is blocking DNS via TCP.
Show quoted textHide quoted text
On Tue, Nov 20, 2018 at 4:33 PM Stefan Suurmeijer stefan@raptorweb.nl [milter-greylist] <milter-greylist@yahoogroups.com> wrote:

Hi list,

I've recently installed milter-greylist on 2 new servers. But I'm running into a strange problem. Everything seems to work fine, except for mails coming from Microsoft domains.
Every time someone sends an e-mail from a Microsoft domain, milter-greylist throws a fit:

Nov 20 15:45:37 localhost milter-greylist: DKIM failed: Key retrieval failed
Nov 20 15:45:37 localhost sm-mta[26871]: wAKEjaDU026871: Milter: data, reject=451 4.3.2 Please try again later

This happens ONLY on Microsoft domains. And on every mail and re-send. All other domains are handled normally it seems. I've been searching for reasons, but coming up empty. The only weird thing I can find is that Microsoft seems to have some configuration issues on DKIM:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outlook.com; s=selector1;

nslookup:
root@myhost:~# nslookup
> set q=txt
> selector1._domainkey.outlook.com
;; Truncated, retrying in TCP mode.
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
selector1._domainkey.outlook.com canonical name = selector1._domainkey.outbound.protection.outlook.com.

Authoritative answers can be found from:
> selector1._domainkey.outbound.protection.outlook.com
;; Truncated, retrying in TCP mode.
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
*** Can't find selector1._domainkey.outbound.protection.outlook.com: No answer

Authoritative answers can be found from:

That's not good? Can't resolve the DKIM signature? So it would make sense that milter-greylist doesn't like it. But this can't be the reason? Or the whole world would have this problem?

Anyone have any suggestions? If it's possible to turn off DKIM checking that would be fine too AFAIC (preferably without the need for recompiling). I've even whitelisted every outlook SMTP server (took me an hour, they have some nice configuration issues there too :-(), but that doesn't seem to help

Any help would be appreciated,

Thanks in advance,
Stefan




--
Mauricio Teixeira
Raleigh/NC/USA
mauricio.teixeira{at}gmail.com

Re: [milter-greylist] Weird problem with Microsoft domains

2018-11-21 by Stefan Suurmeijer

Nope, it's not. If you can see my follow-up we already worked out that apparently my nslookup command was the issue, dig resolved just fine. But thanks for the suggestion
I'm now trying to somehow disable DKIM checking in the config file (see John's suggestions)

Thanks
Stefan
Show quoted textHide quoted text
On 11/21/18 5:09 PM, Mauricio Teixeira mauricio.teixeira@... [milter-greylist] wrote:
The TXT record is too big for a UDP packet, so the system is retrying in TCP mode. Most likely your firewall is blocking DNS via TCP.

On Tue, Nov 20, 2018 at 4:33 PM Stefan Suurmeijer stefan@... [milter-greylist] <milter-greylist@yahoogroups.com> wrote:

Hi list,

I've recently installed milter-greylist on 2 new servers. But I'm running into a strange problem. Everything seems to work fine, except for mails coming from Microsoft domains.
Every time someone sends an e-mail from a Microsoft domain, milter-greylist throws a fit:

Nov 20 15:45:37 localhost milter-greylist: DKIM failed: Key retrieval failed
Nov 20 15:45:37 localhost sm-mta[26871]: wAKEjaDU026871: Milter: data, reject=451 4.3.2 Please try again later

This happens ONLY on Microsoft domains. And on every mail and re-send. All other domains are handled normally it seems. I've been searching for reasons, but coming up empty. The only weird thing I can find is that Microsoft seems to have some configuration issues on DKIM:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outlook.com;� s=selector1;

nslookup:
root@myhost:~# nslookup
> set q=txt
> selector1._domainkey.outlook.com
;; Truncated, retrying in TCP mode.
Server:�������� 127.0.0.53
Address:������� 127.0.0.53#53

Non-authoritative answer:
selector1._domainkey.outlook.com������� canonical name = selector1._domainkey.outbound.protection.outlook.com.

Authoritative answers can be found from:
> selector1._domainkey.outbound.protection.outlook.com
;; Truncated, retrying in TCP mode.
Server:�������� 127.0.0.53
Address:������� 127.0.0.53#53

Non-authoritative answer:
*** Can't find selector1._domainkey.outbound.protection.outlook.com: No answer

Authoritative answers can be found from:

That's not good? Can't resolve the DKIM signature? So it would make sense that milter-greylist doesn't like it. But this can't be the reason? Or the whole world would have this problem?

Anyone have any suggestions? If it's possible to turn off DKIM checking that would be fine too AFAIC (preferably without the need for recompiling). I've even whitelisted every outlook SMTP server (took me an hour, they have some nice configuration issues there too :-(), but that doesn't seem to help

Any help would be appreciated,

Thanks in advance,
Stefan




--
Mauricio Teixeira
Raleigh/NC/USA
mauricio.teixeira{at}gmail.com

-- 
================================================================
Stefan Suurmeijer
Raptor Network & Web solutions
Woldweg 161a
NL-9606 PD Kropswolde, The Netherlands
tel: (+31) 50 363 9215 / (+31) 6 52 067 168 (cell)
E-mail: stefan@...
================================================================

PGP fingerprint: 2CC6 5313 2F58 862F 1542 AECF 2385 6F8A BC45 9F86

Always acknowledge a fault. This will throw those in authority off their guard and give you an opportunity to commit more - Mark Twain

Re: [milter-greylist] Weird problem with Microsoft domains

2018-11-22 by manu@...

Stefan Suurmeijer stefan@... [milter-greylist]
<milter-greylist@yahoogroups.com> wrote:

> Anyone have any suggestions? If it's possible to turn off DKIM checking
> that would be fine too AFAIC (preferably without the need for
> recompiling). 

There has been a recent change about DKIM key retrieval failure.
Before: it always produced a SMTP temporary failure
After: this can be used in ACL with dkim error clause.

Your problem will hence be fixed by upgrading.


-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Re: [milter-greylist] Weird problem with Microsoft domains

2018-11-26 by Stefan Suurmeijer

Hi Emmanuel,

that's good news! I've been unable to find release notes or changelogs about that though. In which version was it changed? http://milter-greylist.wikidot.com/changelog only describes until 4.5.14 and the latest version is 4.6.2?
The default debian/ubuntu version I'm running is 4.5.11, so there's room for upgrade there.
(Unofficial) Ubuntu packages are apparently available here https://www.binux.de/debian/trusty/milter-greylist/ although they list Trusty and Precise as versions. Is there nobody maintaining official Ubuntu versions?

KR
Stefan
Show quoted textHide quoted text
On 11/22/18 2:26 AM, manu@... [milter-greylist] wrote:
\ufffd

Stefan Suurmeijer stefan@... [milter-greylist]
wrote:

> Anyone have any suggestions? If it's possible to turn off DKIM checking
> that would be fine too AFAIC (preferably without the need for
> recompiling).

There has been a recent change about DKIM key retrieval failure.
Before: it always produced a SMTP temporary failure
After: this can be used in ACL with dkim error clause.

Your problem will hence be fixed by upgrading.

--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...


-- 
================================================================
Stefan Suurmeijer
Raptor Network & Web solutions
Woldweg 161a
NL-9606 PD Kropswolde, The Netherlands
tel: (+31) 50 363 9215 / (+31) 6 52 067 168 (cell)
E-mail: stefan@...
================================================================

PGP fingerprint: 2CC6 5313 2F58 862F 1542 AECF 2385 6F8A BC45 9F86

Always acknowledge a fault. This will throw those in authority off their guard and give you an opportunity to commit more - Mark Twain

Re: [milter-greylist] Weird problem with Microsoft domains

2018-11-27 by manu@...

Stefan Suurmeijer stefan@... [milter-greylist]
<milter-greylist@yahoogroups.com> wrote:

> that's good news! I've been unable to find release notes or changelogs
> about that though. In which version was it changed?

At least it is present in 4.5.15.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Move to quarantaine

This moves the raw source file on disk only. The archive index is not changed automatically, so you still need to run a manual refresh afterward.